Eurosmart

Eurosmart is a not-for-profit organisation that represents the Digital Security Industry. It is committed to expanding the Digital Security market and to developing Smart Secure Devices, Secure Software and their related standards.

Lobbying Activity

Response to Digital package – digital omnibus

14 Oct 2025

While Eurosmart welcomes the Commission's work on the Digital Omnibus, we note with concern that the current Call for Evidence appears to narrow the initial ambition of this initiative. The Omnibus was originally conceived as a bold and strategic exercise to streamline Europe's increasingly complex digital regulatory landscape and to remove inconsistencies between key legislative acts. However, its current scope seems limited to administrative simplification, without sufficiently addressing the substantive overlaps already identified by policymakers and stakeholders.

Eurosmart therefore calls for the Digital Omnibus to fully assume its political and strategic role: ensuring coherence across Europe's digital regulatory landscape, enhancing legal certainty, and enabling innovation grounded in trust, security, and fundamental rights. Beyond necessary administrative simplifications, Eurosmart believes the true objective of the Omnibus should be to strengthen European competitiveness and reinforce confidence in secure digital technologies.

Eurosmart has identified several areas where the Digital Omnibus can deliver real impact by harmonising requirements from different EU legislative instruments, and more generally by ensuring consistency across Europe's digital regulatory landscape while enabling a necessary risk-based approach. See attached document and letter:

1. Excessive constraints on QSCD certification imposed by eIDAS
2. Interplay between NISD2 and the CRA
   - Streamlining Compliance for Remote Data Processing Solutions Under the CRA and NISD2
   - Avoiding Double Assessment for Products Covered by Both the CRA and NISD2
3. Interplay between the CRA and the CSA
4. Harmonisation of conformity assessment practices in the CRA, CSA, NISD2, AI Act and eIDAS
5. Harmonisation of vulnerability management
6. Provide a clear legal framework for Common Specifications and technical specifications used to support the implementation of legal acts
7. Enhance the CSA to provide mechanisms for risk management over certified products
8. Clarification on the implementation of NISD2
9. Making the AI Act Work
   - Impact of delayed harmonised standards
   - Criteria for alternative measures
   - Consistent implementation across Member States
   - EU capability to evaluate and benchmark AI systems
   - Interplay with GDPR

Response to Amendment to the list of the state-of-the-art documents supporting the EUCC scheme

29 Aug 2025

Eurosmart welcomes the European Commission's proposed amendments to the EU Cybersecurity Certification Scheme on Common Criteria (EUCC). While broadly supportive of the objectives, Eurosmart identifies several areas where clarification and adjustments seem necessary to ensure practicality and alignment with existing practices (see attached document):

1. Definition of Major Changes: The current definition only covers negative impacts. Eurosmart recommends extending it to any significant change, positive or negative, that affects assurance.
2. Security Target Publication: Only sanitised versions of security targets should be made publicly available. This ensures consistency with Annex V of Implementing Regulation 2024/482 and protects sensitive information.
3. Application of State-of-the-Art (SotA) Documents: It must be clear that SotA documents are applicable only if published before the start of an evaluation. Once an evaluation has started, the version in force should continue to apply, to avoid rework and inconsistencies.
4. Clarity on Protection Profiles (PPs): Annex II should explicitly list mandatory PPs (at AVA_VAN.4 or 5), while Annex III should clearly cover recommended PPs. Eurosmart calls for clarification on whether Annex III PPs must become EUCC-certified or recognised SotA documents.
5. Re-Assessment and Patch Management: The re-assessment process must clearly define its outcomes: either confirmation or modification of assurances, depending on the results. Patch handling procedures should clarify when a new certificate is (or is not) issued, ensuring alignment between the Annex IV provisions and Articles 13 and 19 of the Regulation.
6. Annex V, Intended Use and Certification Reporting: Requirements for intended use should be more specific and less subjective, to ensure a clear understanding across all stakeholders. Certification bodies should not be burdened with summarising vulnerability management procedures; instead, certificate holders should provide publicly available information in line with Article 8(b).

Response to The EU Cybersecurity Act

20 Jun 2025

Eurosmart supports a focused revision of the EU Cybersecurity Act (CSA) to strengthen ENISA's role, preserve the integrity of the European Cybersecurity Certification Framework (ECCF), and streamline certification. The CSA remains central to the EU's cybersecurity framework, and its alignment with other regulations (e.g., CRA, NIS2, AI Act) is essential to reduce duplication and simplify compliance. Rather than a full overhaul, Eurosmart supports targeted improvements (Option 3), preserving key CSA elements such as accreditation and supervision of Conformity Assessment Bodies (CABs), peer reviews, and mandatory penetration testing for high assurance levels. These provisions are critical to maintaining trust, quality, and consistency in certifications across the EU.

Penetration testing at high assurance levels must remain mandatory. It provides deep, real-world validation of security and ensures backdoor-free products. Oversight by public authorities is vital to preserve integrity and public trust. CABs must continue to be accredited by National Cybersecurity Certification Authorities (NCCAs), with processes aligned to standards such as ISO/IEC 17065 or 17025. Explicitly referencing these standards in a CSA annex would enhance clarity. Certification at the high level must only be issued by NCCAs or by CABs formally delegated by them. This governance ensures uniformity, strong public oversight, and reliable technical evaluations such as code reviews. Delegation must be clear, transparent, and subject to supervision and peer review.

Scheme development has been slow. Eurosmart urges a more agile, strategic process, prioritising transversal schemes and reusing existing technical foundations. The EUCC scheme serves as a model. ENISA should remain the main coordinator, and the Ad Hoc Working Group (AHWG) model remains the most suitable option to involve qualified experts from relevant sectors. This process deserves more transparency: mid-term development consultations should be conducted through accessible platforms, and adequate resourcing is vital to effective and timely scheme development.

Non-technical requirements should support strategic goals. At higher assurance levels, optional modules could include compliance with GDPR and demonstration of immunity from non-EU data access laws. These would strengthen digital sovereignty and user trust while avoiding excessive burdens.

Ongoing maintenance is essential. The CSA should formalise ECCG subgroups for each scheme, co-led by ENISA and the Commission, with NCCA involvement. These subgroups would manage updates, consult stakeholders, and publish annual roadmaps. ISACs such as the EUCC ISAC should support them as technical bodies, offering trusted, agile input from vendors, labs, and authorities. A formal contractual Public-Private Partnership (cPPP) model would ensure efficient and expert-driven maintenance.

Certification must also consider product lifecycles. Long-life products such as QSCDs may not remain fully compliant over time. Conditional certifications, subject to risk-based reviews, should be allowed. ISACs can help assess vulnerabilities and coordinate stakeholder responses when issues arise, maintaining trust and accuracy in communications.

In summary, Eurosmart calls for a CSA revision that builds on the existing framework,

Response to Technical description of important and critical products with digital elements

18 Apr 2025

The attached document compiles the feedback provided by Eurosmart on the draft Implementing Regulation concerning the technical description of the categories of important and critical products with digital elements. The feedback aims to contribute to the refinement of the Regulation by ensuring that its terminology is consistent and aligned with industry standards and market reality, and that its definitions are appropriately focused on cybersecurity-relevant core functionalities. The Eurosmart feedback encompasses 31 targeted comments addressing the following key aspects:

(1) Need for Terminology Clarification: The Regulation must incorporate clear, precise terminology. Aligning terminology with current industry practices and recognised standards is essential to avoid ambiguity. Product categories, especially those involving tamper-resistance, microcontrollers, microprocessors, and smartcards, require more technically accurate and detailed descriptions to avoid misinterpretation.
(2) Avoidance of Overgeneralisation: Broad or ambiguous categorisations must be refined to prevent misclassification and to ensure that only relevant products are included under the critical or important categories.
(3) Security Functionalities Must Be Clearly Distinguished: Security-related functionalities should be distinctly outlined to differentiate products based on the criticality of their security roles, especially for integrated circuits and network management systems.
Enhanced Coherence Between Recitals and Annexes: The regulatory recitals should be made coherent with, and supportive of, the detailed technical content specified in the annexes, to ensure legal and practical alignment.
(4) Core Functionalities: The annexes should focus on identifying and describing the core functionalities. This ensures that regulatory obligations target the essential aspects that truly impact security.

Response to Digitalisation of identity cards issued to EU citizens

17 Jan 2025

Eurosmart welcomes the proposal to digitalise national identity cards, enhancing free movement within the EU/SAC Area and leveraging the EUDI Wallet introduced by the amendment to the eIDAS Regulation. However, Eurosmart raises the following comments:

1. Security Aspects: The proposal lacks clarity on the security aspects of Digital Travel Credentials (DTCs). Eurosmart recommends explicitly addressing in Article 5 the security of the issuance and disclosure process, authentication and validation, and revocation. Eurosmart also suggests requiring end-to-end encryption for DTC issuance in Article 2.
2. Definitions of Creation and Issuance: These terms are not clearly defined. Eurosmart recommends adding precise definitions to distinguish between these two actions, as each has distinct technical implications.
3. Technical Feasibility of Creation: Article 2.3(2) requires Member States to ensure actions before DTC creation. However, since creation seems to be under the holder's control (e.g., copying chip content to a mobile), it is odd to place this responsibility on Member States. The distinction between DTC creation and issuance should be clarified.
4. Verification of the Storage Medium of the Identity Card: Article 2.3(2) requires verification of the integrity and authenticity of the identity card's storage medium but lacks provisions to verify the identity card's validity (e.g., revoked, suspended, or not revoked cards). Eurosmart recommends that the proposal distinguish between the storage medium (chip) and the data stored in it, and specify how to verify the authenticity, integrity, and validity of both.
5. Stakeholder Involvement: Eurosmart advocates for the creation of an expert group to support the technical specifications and procedures outlined in Article 5. This group should include stakeholders such as industry experts and carriers relevant to DTCs.
6. Implementation Timeline: The proposed 12-month timeline for the implementation of Articles 2(1) and 2(2) seems too short. Eurosmart suggests extending the implementation period to 24 months to allow sufficient time for procurement, deployment, testing, and going live.
7. Content of DTCs: Eurosmart recommends clarifying in a dedicated recital that DTCs should allow for up-to-date data (e.g., a recent portrait or current address), to enhance trust in the quality of data provided through DTCs.
8. Definition of DTCs: Eurosmart recommends a clearer definition of DTCs than the one provided in Article 13 of the proposal on the EU Travel Application, covering characteristics such as assurance level and validity. Article 5 should focus on technical specifications, while legal aspects should be in the core regulation. The link to the EU Travel Application should be clearer, particularly with Article 13, and EUDI Wallet provisions should emphasise trust, security, and binding quality.
9. Integration with the EUDI Wallet: The proposal lacks clarity on the forms DTCs take within the EUDI Wallet ecosystem (e.g., EAA, QEAA, PID) or on which entity would play the role of (Q)EAA or PID provider, especially when using the EU Digital Travel Application to create DTCs.
10. Viable Business Model: Eurosmart recommends a viable business model for the private sector willing to provide products, systems and services to support the uptake and deployment of DTCs, and also to develop and propose use cases based on these DTCs.
11. Technical Integration in the EUDI Wallet: Eurosmart calls for clarifications on the technical integration of DTCs within the EUDI Wallet, including:
   - Protocols for DTC provisioning and presentation (e.g., ICAO specifications for border-crossing in the context of the EU Digital Travel Application; ISO/IEC 23220-4 for broader use cases within the EUDI Wallet).
   - Clear security, trust level, and binding quality standards for DTCs within the EUDIW.
   - Privacy measures, such as selective data disclosure or lower-resolution portraits in certain use cases, to protect sensitive information when presenting DTCs with an EUDI Wallet.

Response to Amendment of the list of the state-of-the-art documents supporting the EUCC scheme

18 Oct 2024

Eurosmart welcomes the constant efforts of the European Commission and the European Cybersecurity Certification Group (ECCG) on EUCC maintenance to update the EU Common Criteria-based cybersecurity certification scheme (EUCC). While the proposal introduces some positive elements, we believe there are key areas that require further attention to ensure effective international recognition, a smoother transition period, and a more agile and efficient update mechanism for the annexed documents.

1. Continuity Beyond 2027: Need for Certification Using CCRA Protection Profiles

Article 3.2 (revised): "Until 31 December 2027, an ICT product may be certified against its security target, which incorporates a protection profile issued under national cybersecurity certification schemes that have applied the standards listed in Article 49(4), points (a) to (d)."

While this provision is positive, it remains insufficient. There is a clear need for certification using Common Criteria Recognition Arrangement (CCRA) Protection Profiles after the 2027 deadline. It is essential to be able to claim conformance to a SOGIS PP, an EUCC PP, or a PP under the CCRA, and to ensure that this information is explicitly stated in both the certificate and the certificate report. Moreover, international recognition remains a significant uncertainty for the industry, whilst international recognition is essential for businesses. Member States should uphold mutual recognition rules, particularly the CCRA, until the EUCC scheme has an equivalent agreement with international communities. Additionally, the text does not include provisions for recognising Protection Profiles (PPs) that have been recognised outside the EU (as mentioned on the CC portal).

2. Clarification on the Transition Period from CC 3.1 to CC:2022

There is a need for clarification regarding the transition from Common Criteria (CC) version 3.1 to CC:2022 in the EUCC certification scheme. Specifically: Implementing Act, Article 2, points (1) and (2), have been amended to reference CC:2022. The amended Article 3 introduces a transition period, allowing certificates to be issued under the EUCC scheme by applying the standards listed in Article 49(4), points (a) to (d), until 31 December 2027. However, Article 49(4), points (a) to (d), still refers to CC v3.1. This leads to the reading that CC v3.1 could be used for EUCC certification of products if the certificate is issued before 31 December 2027. Further clarification is necessary to confirm this interpretation and to ensure a smooth transition between versions.

3. Article 49.4(a): ISO/IEC 15408-4:2009 and ISO/IEC 15408-5:2009

Article 49.4, point (a), references ISO/IEC 15408-4:2009 and ISO/IEC 15408-5:2009. These parts of the ISO/IEC 15408 standard were not introduced until the 2022 version of the Common Criteria (CC). Therefore, it is recommended that these outdated references be removed to avoid confusion and ensure alignment with the current standards.

4. Annexes: Need for a More Dynamic and Efficient Update Process

Eurosmart has identified that several documents listed in Annex 1 are not final versions, and that other key documents are missing. This is likely due to ongoing work by the EsEm. However, the static nature of the Annexes creates inefficiencies in maintaining up-to-date references. The process to update these annexes is cumbersome, which hinders the ability to reflect the latest state-of-the-art documents. This approach is not suitable, for instance, for the list of recommended PPs. Eurosmart recommends a more agile approach by referencing a dynamic web portal maintained by ENISA or the Commission. Moreover, the act should specify the process to reference these PPs. The current list of PPs in the annexes does not appear to be complete and up to date. Eurosmart has identified the following missing PPs (see attached document).

Response to Person identification data and electronic attestations of attributes issued to European Digital Identity Wallets

9 Sept 2024

European Digital Identity Wallets, Person Identification Data and Electronic Attestations of Attributes: Principle of Data Minimisation

Definitions: The different implementing acts should clearly state that critical assets (PID, attestations, etc.) should be protected in integrity, authenticity and confidentiality.

Data minimisation principle to apply to the mandatory PID data set: The annex of the proposal outlines a set of mandatory person identification data attributes that PID providers must comply with. This list makes the mandatory PID data set in the wallet much wider than in other official identity documents. To uphold the data minimisation principle set forth in Article 5 of the GDPR, the PID data set should be strictly limited to what is necessary and should accurately reflect the information contained in national identity documents (e.g., eID cards, electronic passports, etc.). The inclusion of additional mandatory attribute definitions could raise concerns about creating a diverging or stand-alone online identity for citizens. Furthermore, the legal basis for eIDAS 2 (Article 114 of the TFEU), which pertains to Member States' consumer legislation, could be called into question due to these additional requirements.

Response to Functionalities and integrity of European Digital Identity Wallets

9 Sept 2024

Privacy-by-design and user control should prevail, in respect of EU fundamental rights. Eurosmart has listed several privacy concerns that deserve clarification in the implementing act on integrity and core functionalities. These concerns echo Eurosmart's comments on the certification implementing act, which consider that privacy and security cannot be achieved without the use of high-quality cryptographic mechanisms: secure certified hardware. Eurosmart's concerns (see attached document):
- Data recovery and portability must adhere to privacy principles, ensuring their integrity and authenticity.
- Wallet revocation: the wallet user's control over their personal data should prevail.
- Clarify transition measures for eIDAS 1 Secure Signature Creation Devices (SSCDs).

Response to Voluntary cybersecurity certification for ICT products, based on a Common Criteria set of security requirements

29 Oct 2023

Eurosmart and its members are delighted to be able to contribute to the implementation of the first European certification scheme. This initial scheme underscores the rigour and technical expertise of Common Criteria in Europe, an area in which Eurosmart and its members have been active contributors for many years. The release of this implementing regulation represents a substantial stride towards a more cyber-resilient Europe. While commending the efforts of the Commission, the Member States, and ENISA, Eurosmart also wishes to provide constructive feedback for the scheme's practical implementation.

Eurosmart has categorised its feedback into two parts. The first part highlights elements deemed highly critical, requiring necessary modifications. The second part focuses on elements that Eurosmart believes should receive additional technical implementation clarifications. Moreover, Eurosmart encourages the legislator to pay special attention to the following points:

1. Mutual recognition: International recognition remains a significant uncertainty for many stakeholders, whilst international recognition is essential for businesses. Member States should uphold mutual recognition rules, particularly the Common Criteria Recognition Arrangement (CCRA), until the European Union Cybersecurity Certification (EUCC) has an equivalent agreement with international communities. Additionally, the text does not include provisions for recognising Protection Profiles (PPs) that have been recognised outside the EU (as mentioned on the CC portal).
2. Transitional period and SOG-IS transposition: In line with the Cybersecurity Act, the text envisions an abrupt termination of national schemes, while some certificates may remain valid. The management of these certificates remains unresolved. The current text does not explicitly outline a clear transposition procedure. Eurosmart advocates for a 2-year grace period, which remains a transitional solution and does not resolve the issue of mutual recognition. Within 2 years, SOGIS certificates must be transitioned into EUCC certificates. The question that remains is how the transposition of SOGIS and the implementation of the EUCC will simplify and enhance the efficiency of certifications within the already extensively employed technical domains, where there is a significant demand for such streamlining.
3. Monitoring Activities and Other Additional Efforts: Under Chapter V, many provisions are described that will result in additional efforts for Certification Authorities (CABs) and Information Technology Security Evaluation Facilities (ITSEFs). The text does not specify who will bear these costs.
4. Scheme Maintenance: There are few references to scheme maintenance in the text. An ad-hoc working group from ENISA (TG-M) has developed an ISAC (Information Sharing and Analysis Centre) proposal to ensure the continuity of the Joint Interpretation Library Working Groups (JIL-WGs). The recitals in the current text only refer to subgroups within the ECCG by technical domain. Limiting it to such an approach would neither encourage the in-depth involvement of private stakeholders nor stimulate efficient collaboration between public and private actors.
5. List of SOTA Documents: The implementing act refers to dynamic documents initiated by the ECCG. However, by referencing a certain number of documents in the annex of this act, their legal updates become exceedingly complex. Furthermore, the list of Protection Profiles (PPs) does not appear to be up to date. Will future PPs require a new delegated act to be referenced?

Response to Evaluation of Standardisation Regulation (EU) No 1025/2012

29 Sept 2023

European Harmonised Standards (hEN) have been demonstrated to effectively ease the burden on lawmakers and encourage a pragmatic and technical approach to regulation, ultimately fostering an environment conducive to interoperability, safety, and innovation. The legal model, known as the New Legislative Framework (NLF), aims to distinctly separate the process of establishing legal requirements, outlined in harmonisation legislation by the European legislator, from the technical specification aspect, carried out through harmonised European Standards by European Standardisation Organisations involving national experts. In the course of the call for evidence launched by the European Commission to evaluate Regulation 1025/2012, Eurosmart is pleased to offer remarks on the relevance of the European Standardisation System and its governance when it comes to compliance with the upcoming safety-related legislation.

Response to Revision of the Directive on Driving Licences

31 May 2023

Eurosmart, the leading European association representing the digital security industry, welcomes the European Commission's approach of giving citizens the choice of their driving licence format. This technology-agnostic standpoint aligns with a holistic vision of inclusion without discrimination and of empowering citizens with their data. Our organisation is pleased to share its feedback on specific aspects of the proposed revision of the Directive on Driving Licences (see attached):
1/ Maintain a high level of service availability for driving licence inspection
2/ New physical driving licence format
3/ Homogeneous and high level of security of all identification documents across Europe
4/ Leverage international standards for the technical specification of the chip-based driving licence instead of a non-standard specification
5/ Clarify the link between the mobile driving licence and the EU Digital Identity Wallet
6/ Business model of the mobile driving licence
7/ Security of the mobile driving licence
8/ Private sector access to the mobile driving licence
9/ The specification of the mobile driving licence contains substantial ambiguities which could impede successful deployment and interoperability
10/ Leverage existing international standards as much as possible and avoid non-standard implementations